What's New
The NetWitness 12.0.0.0 release provides new features and enhancements for every role in the Security Operations Center.
Upgrade Paths
The following upgrade paths are supported for NetWitness 12.0.0.0:
- NetWitness 11.6.0.0 to 12.0.0.0
- NetWitness 11.6.0.1 to 12.0.0.0
- NetWitness 11.6.1.0 to 12.0.0.0
- NetWitness 11.6.1.1 to 12.0.0.0
- NetWitness 11.6.1.2 to 12.0.0.0
- NetWitness 11.6.1.3 to 12.0.0.0
- NetWitness 11.6.1.4 to 12.0.0.0
- NetWitness 11.7.0.0 to 12.0.0.0
- NetWitness 11.7.0.1 to 12.0.0.0
- NetWitness 11.7.0.2 to 12.0.0.0
- NetWitness 11.7.1.0 to 12.0.0.0
- NetWitness 11.7.1.1 to 12.0.0.0
For more information on upgrading to 12.0.0.0, see the Upgrade Guide for NetWitness 12.0.0.0.
Security Fixes
For more information on Security Fixes, see Security Advisories.
Product Version Life Cycle for NetWitness Platform
See Product Version Life Cycle for NetWitness Platform for a list of versions that reach End of Primary Support (EOPS).
Enhancements
The following sections are a complete list and description of enhancements to specific capabilities:
To locate the documents that are referred to in this section, go to the NetWitness Master Table of Contents.
The Product Documentation section has links to the documentation for this release.
Policy Based Centralized Content Management
Policy based Centralized Content Management is a unified approach to find, deploy, and manage content through the entire life cycle based on policies that can be assigned to groups of devices. It is a single location to view, modify and manage the content deployed across all services in the environment.
Benefits of Policy based Centralized Content Management:
- Add content from RSA Live or add your own custom content.
- Add or remove content without repeating the process on each individual service.
- Add a new service to an existing group to automatically deploy all necessary content.
- One-click management of subscriptions and automatic updates: simply toggle the Subscribe button to enable automatic updates of content.
- Provide a highly responsive and updated UI for browsing RSA Live content that can help you with the following:
For more information, see the Policy Based Centralized Content Management topic in the Live Services Management Guide.
Springboard
The following section describes the new enhancements for the Springboard component:
Enhanced Springboard to Support New Built-in Panels
NetWitness Platform Springboard introduces five more out-of-the-box panels based on the events processed and presented on the Springboard view. On the Springboard, Administrators and Analysts can now view the following panels of event data, which help with threat hunting and investigation:
- MITRE ATT&CK tactics
- MITRE ATT&CK techniques
- Indicators of Compromise
- Enablers of Compromise
- Behaviors of Compromise
Administrators can customize these panels to display only the event-focused data for analysts to carry out further investigation.
For more information, see the Managing the Springboard topic in the NetWitness Platform Getting Started Guide.

Create Custom Springboard at the User Level
Administrators and Analysts can now add their own custom private board to the NetWitness Platform Springboard and add panels with important system indicators, which helps with threat hunting and investigation. The custom private board is visible only to the user who created it. The board allows users to organize and manage information in an easy manner.
For more information, see the Managing the Springboard topic in the NetWitness Platform Getting Started Guide.

Automated Custom Springboard from Query
During investigation, Administrators and Analysts can add a Springboard panel from the Investigate > Events view. You can add any number of filters on the query search bar and convert them to Springboard panels for further detection and watch results. The newly added panels will be saved under a custom private board. The board will allow users to organize and manage information in an easy manner.
For more information, see the Add Springboard Panels from Events View topic in the NetWitness Platform Investigate User Guide.

Respond
The Respond view is enhanced to track and capture all the actions performed by users on an incident. The toolbar actions are enhanced to allow users to select only a valid priority, status, and assignee for an incident.
Incident Workflow Enhancements
The following changes have been made to the Change Status drop-down list in the Respond > Incidents view:
- Added the new incident status Reopen to help users open closed incidents.
- Removed the New and Assigned statuses, but they are still displayed in the Status column in the Respond > Incidents > Incidents List view.
- Streamlined the incident status change workflow. All invalid statuses are grayed out, so users can select only a valid status for any incident.
For more information, see the Escalate or Remediate the Incident topic in the NetWitness Respond User Guide.
Incident Details View Enhancements
A new History panel displays every action performed by the user on an incident. The various actions performed on an incident are as shown below:
Incident Overview Panel Enhancements
The Incident Overview Panel is enhanced to include the following fields:
- Time to Acknowledge (tta): Displays the time taken to assign an incident after creating it.
- Time to Detect (ttd): Displays the time taken for completing the task after the incident is assigned.
- Time to Resolve (ttr): Displays the time taken for closing the task after the incident is created.
- External ID: Allows storing incident ID referrals from a different platform.
For more information, see the Incident Overview Panel topic in the NetWitness Respond User Guide.
Investigation
The following section describes the new enhancements for the Investigation component:
Indicators for Searchable Meta
The meta key and meta value pairings now display a binocular icon while viewing a text reconstruction in the Event Meta panel, indicating that the pairing can be searched. This enhancement helps analysts see at a glance which metadata can be searched, rather than going through the full list to figure out which ones may be searched.
For more information, see the NetWitness Platform Investigate User Guide.

Unified Discovery and Interaction of Events Metadata
Hosts and Files Alerts Details View
Analysts have a unified way to interact with events metadata presented in the Alerts tab of Hosts and Files details view to perform actions or review contextual information. Analysts can use the right and left click options to view the unified panel data.
For more information on Hosts and Files, see the Analyze Hosts Using the Risk Score and Analyze Files Using the Risk Score topics in the NetWitness Platform Endpoint User Guide.
Respond View
Analysts have a unified way to interact with events metadata presented in the Respond view to perform actions or review contextual information.
On the Respond Indicators panel, Nodal Graph, and Events List view, analysts can use the left and right click options to view the unified panel data.
For more information, see the NetWitness Platform Respond User Guide.
Enhanced Querying on Events View to Exclude any Specific Meta
Analysts can now exclude particular meta values while querying using the NOT(meta contains 'meta value') option available in the Investigate unified panel. The specified meta value is removed from the query results when you use NOT(meta contains 'meta value') with the Append or Refocus option on a specific meta value. This enhancement helps analysts view only the results they need and conduct further investigation efficiently.
For more information, see the NetWitness Platform Investigate User Guide.

View Encrypted Data in Decrypted Format
Analysts can directly view encrypted data that has been decrypted by the Decoder, reducing the time and effort needed to convert data into a readable format. Analysts can enable this using the Display Decrypted Payload toggle option in the Events > Text view.
For more information, see the Text Reconstruction topic in the NetWitness Platform Investigate User Guide.

Select Custom Date and Time Range in the Events View
Analysts can set a custom range in the Investigate > Events view to select a specific time, date, month, and year using the calendar view that is displayed on clicking the Custom Range option. This enhancement lets analysts select the date and time quickly without manual entry, avoiding human errors such as typos.
For more information, see the Select a Time Range topic in the NetWitness Platform Investigate User Guide.

User Interface
The following section describes the new enhancements for the NetWitness user interface:
NetWitness User Interface Enhancements


Endpoint Investigation
The following section describes the new enhancements for the Endpoint component:
Detection of Removable Storage Devices
NetWitness Endpoint Agents are enhanced with the capability to detect and report removable storage devices. The Endpoint agents detect and report when a removable storage device is plugged in or removed. This enhancement provides analysts with extended threat detection capabilities. For more information, see the NetWitness Endpoint User Guide.
Block Multiple File Hashes Using an Imported File
Administrators can import a file with a list of known file hashes that are not yet present in the environment and block them as soon as they are detected. This enhancement helps analysts block multiple hashes without manual intervention.
Support for Arm-based Windows Machines
Administrators can install Endpoint agents on Arm-based Windows machines. This enhancement provides analysts with threat detection capabilities on more types of devices.
Download MFT from Multiple Hosts in One Step
Analysts can now download the MFT (Master File Table) from multiple hosts on the Hosts list view in one step. This enhancement helps analysts download the MFT without opening the Host details view of each host. For more information, see the Download Master File Table topic in the NetWitness Endpoint User Guide.
Customizable Maximum File Download Limits
The maximum number of file downloads on the Endpoint server is now configurable. On the Explore page of an Endpoint server, Administrators can set the limit to between 100 and 1000 files. For more information, see Download Files Using Full Path or Wildcard in the NetWitness Endpoint User Guide.
Redesigned Alert Details View for Endpoint Alerts in Respond
In the Respond view, the alert details view for Endpoint alerts shows end-to-end details about an alert. The details are presented in the form of a process tree along with a right panel that provides detailed information about the alert, categorized into the following sections:
- Summary: A short summary of the alert.
- Event Details: Shows the directory, user, hash, signature, risk score, etc.
- Process Details: Shows the tactics, techniques, times, and details about the targets.
- Network Connections: Shows any network connection established from ten minutes before to ten minutes after the alert trigger time.
- Origin: Shows how the selected file in the process tree originated.
- Exists on Hosts: The hosts on which the selected file in the process tree exists.
Besides the above sections, the Investigate Timeline link takes you to the Investigate view, which has more detailed information.
For more information, see Review Endpoint Alerts Using Process Tree in the NetWitness Respond User Guide.

Concentrator, Decoder, and Log Decoder Services
The following section describes the new enhancements for the Concentrator, Decoder, and Log Decoder components:
Log Parsing Enhancements
The following log parsing enhancements are made in version 12.0.0.0. These are new elements that you use in the creation of a log parser:
New Selector Parsing Element Added to Dynamically Map Captured Values to a Meta Key
This allows the log parser to automatically choose from two or more optional meta keys to assign to a parsed value, depending upon the value of another meta key. Consider the following sample log snippet:

In the above example, if the value of Direction is "src", then the preferred meta key to use for the value of Address would likely be ip.src. Conversely, if the value of Direction is "dest", then the meta key ip.dst might be preferred. This can now be achieved with the new SELECTOR log parsing element.
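The following Python model illustrates the selector idea described above (added here as an example; it is not the NetWitness parser XML syntax, and the key=value log format, the sample lines and the ip.addr fallback key are constructed assumptions). It captures Direction and Address from a line and routes the Address value to ip.src or ip.dst based on Direction, falling back to a default key when Direction has no matching choice.

```python
import re

# Constructed sample log lines in a key=value style (assumption: the page's
# original snippet is not reproduced here).
SAMPLE_LOGS = [
    "Direction=src Address=10.1.2.3 Action=allow",
    "Direction=dest Address=192.0.2.10 Action=deny",
    "Direction=unknown Address=198.51.100.7 Action=allow",
]

# Selector table: the captured key whose value drives the choice, the map
# from that value to the meta key that receives the Address value, and a
# fallback meta key (assumed name) for values with no matching choice.
SELECTOR = {
    "on": "Direction",
    "choices": {"src": "ip.src", "dest": "ip.dst"},
    "default": "ip.addr",
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Capture key=value pairs, then apply the selector to route Address."""
    captured = dict(KV_RE.findall(line))
    address = captured.pop("Address", None)
    meta = {"action": captured.get("Action")}
    if address is None:
        return meta  # nothing to route; keep the other meta
    direction = captured.get(SELECTOR["on"])
    target_key = SELECTOR["choices"].get(direction, SELECTOR["default"])
    meta[target_key] = address
    return meta


def parse_all(lines=SAMPLE_LOGS) -> list:
    """Parse every sample line into a meta dict."""
    return [parse_line(line) for line in lines]
```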
Support for Advanced Parsing Elements within CEF Parser and DataType
Support was added to the CEF parser for the VARTYPE, SCANNED, DataType, and Selector parsing elements.
Dynamic parsing support, including PARSERULESCAN, was added to the DataType parsing element.
Enhanced Network Decoder to Decrypt Incoming TLS 1.3 Packets
The enhanced network packet decryption capability helps inspect TLS 1.3 encrypted communications using ephemeral session keys. Administrators can configure Network Decoder to enable decryption of incoming TLS 1.3 network packets.
For more information, see the NetWitness Decoder Configuration Guide.
Event Stream Analysis (ESA)
Event Stream Analysis is enhanced to reduce the time taken to deploy new rules.
Improved ESA Rules Deployment
ESA Rule Deployment has been enhanced with a new option to deploy rules faster. If you want to push rule-related changes, you can quickly deploy the new rules by clicking the Fast Deploy option. For more information, see the Alerting with ESA Correlation Rules User Guide.
Reports
The following section describes the new enhancements for the Reports component:
Build Rule View Enhancements
The Build Rule view is enhanced to help users view the following information in the generated report:
- The average time taken to assign the incident.
- The average time taken to complete the task.
- The average time taken to close the incident.
The following changes have been made in the Build Rule view:
- Two new options are added in the From field:
  - incidentStats: The following metas are supported for incidentStats:
    - created
    - mtta.time: Displays the average time taken to acknowledge the incidents in a single day.
    - mtta.count: Displays the number of incidents acknowledged in a single day.
    - mttd.count: Displays the number of incidents detected in a single day.
    - mttd.time: Displays the average time taken to detect the incidents in a single day.
    - mttr.time: Displays the average time taken to resolve the incidents in a single day.
    - mttr.count: Displays the number of incidents resolved in a single day.
    These metas are displayed in the generated report. Refer to the following figure.
  - incidentUserStats: The following metas are supported for incidentUserStats:
    - userName: Displays the assignee's or the user's ID for the associated user stats.
    - totalClosedCount: Displays the total number of incidents closed by the assignee to date.
    - meanTimeToDetect: Displays the average time taken by the user to detect the incidents in the selected time range.
    - mttdCount: Displays the count of incidents contributing to the computed MTTD value.
    - incidentIds: Displays the list of incident IDs closed by the user during the selected time range.
    These metas are displayed in the generated report. Refer to the following figure.
- New metas are added for incident. The newly added metas are as shown below:
  - assignee.id
  - tta (Time to Acknowledge): Displays the time taken to assign an incident after creating it.
  - ttd (Time to Detect): Displays the time taken for completing the task after the incident is assigned.
  - ttr (Time to Resolve): Displays the time taken for closing the task after the incident is created.
  These metas are populated on the Test Rule view. Refer to the following figure.
For more information, see the Create a Rule Using Respond Data Source topic in the NetWitness Reporting User Guide.